• Auditing 101- Nothing is Ever Free

  • Are you or have you been participating in the government’s meaningful use incentive program? As of December 2013, the Centers of Medicare and Medicaid Services (CMS) have made payments well over $19 billion in meaningful use incentive payments. If you have participated in meaningful use, you should be preparing to be audited. The CMS and Figliozzi and Co., the Garden City, New York, accounting firm contracted to facilitate the Medicare Meaningful Use auditing program, have not reported the number of audits that have been conducted. But many close to the auditing process say they have seen evidence of audits increasing in frequency in recent months—and that some physicians are not prepared when the auditors come calling.

     David Zetter, founder of Zetter HealthCare, a Mechanicsburg, Pennsylvania-based healthcare consulting firm, and a member of the National Society of Certified Healthcare Business Consultants states that in his experience, some physicians just “aren’t doing what they attested to do.” Many small practices leave the legwork of meaningful use to practice managers. Zetter says while it is good to have some level of trust in the practice manager or whomever is in charge of the legwork, it’s always smart for physicians to verify for themselves that the work is being done and not simply assume. “If you don’t, that’s blind assumption. And you are taking a big chance and putting yourself at risk, as well as your entity, your corporation, whatever the case may be, and that’s not very smart nowadays,” Zetter says.

    Attorney Clinton Mikel, JD, says he has also seen anecdotal evidence that audits are occurring more frequently. “From a policy perspective, it makes sense that [audits are] increasing because it is such a hot focus area and, frankly, it’s a way to recoup money,” says Mikel, who is a partner at the health law firm The Health Law Partners. Mikel also states, “It’s also important to respond right away after receiving an audit letter.” Getting the necessary documents in order can be a time-consuming process. Auditors generally allow 14 days to respond to an audit notice.

    Failure to respond with the requested documentation could incur a penalty.

    When you are notified by email that you are being audited, you will be asked to produce the following:

    • Proof that the EHR system used to meet meaningful use requirements is certified.
    • Documentation that quality measure, core, and menu objective data were accurate.
    • Proof that a security risk assessment was conducted and a corrective action plan has been drafted.

    The critical documentation physicians need to have and produce is an auditable source for all data used for registering and attesting to meaningful use. This includes all the objectives, evidence of all yes or no.

    The experts agree that the security risk assessment is one of the requirements that trip up many physicians. A risk analysis is something all physician practices should have had in place since 2005, when the Health Insurance Portability and Accountability Act (HIPAA) Security Rule went into effect. Yet it’s a concept many are still not familiar with, says Zetter. “I know some clients that we have followed up on after the fact come in stating they need assistance, and we find out they blatantly lied about it,” he says, adding that the client attested to having had done a risk assessment only to later admit they didn’t know what it was. The Security Rule has many required standards, the risk assessment is just one of 18 implementation specifications.

    Neglecting to perform regular risk assessment can place physicians at risk of having to pay back incentive money they have received, being penalized by the U.S. Department of Health and Human Service’s Office for Civil Rights for not being in compliance with HIPAA and for making a False Claim.

    Auditing 101- document, document and document more…… 

    Final Note

    JAL Consulting & Associates has tackled all the elements of this compliance jigsaw puzzle, successfully assisting covered entities to make sense of it all and implement the correct policies and procedures that are reasonable and appropriate for their entity.  In addition to this monthly newsletter, Judith has authored a comprehensive and customizable compliance manual complete with the appropriate procedures, policies, staff training and testing. Judith is currently writing Volume II of her HIPAA series: A Professional’s Guide to Understanding HIPAA.